Data Processing Agreement

Last updated: 2026-05-04 · Version 1.0

1. Parties & Scope

This Data Processing Agreement ("DPA") forms part of the Agreement between XRoof ("Processor") and the contractor user ("Controller") and applies to the extent the Controller's processing of Personal Data through XRoof is subject to the EU/UK General Data Protection Regulation, the California Consumer Privacy Act / California Privacy Rights Act (collectively, "CCPA"), or other comparable privacy laws.

2. Definitions

"Personal Data," "Processing," "Data Subject," "Controller," and "Processor" have the meanings set forth in the GDPR. "Personal Information" has the meaning set forth in the CCPA. "Sub-processor" means any third party engaged by Processor to Process Personal Data.

3. Roles & Subject-Matter of Processing

Processor will Process Personal Data on behalf of and only on documented instructions from Controller. The subject matter of Processing is the operation of XRoof (CRM, estimates, contracts, invoices, customer portal, scheduling). The duration is the term of the Agreement plus any retention period in the Privacy Policy.

4. Categories of Data Subjects & Personal Data

  • Data subjects: Controller's homeowner customers, leads, and team members.
  • Personal data categories: name, postal/email address, phone number, signature image, project address, photographs of property, payment metadata (no card numbers — Stripe is the payment processor of record).

5. Processor Obligations

  • Process Personal Data only on documented instructions from Controller (including transfers, except where required by law).
  • Ensure persons authorized to Process the Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures (encryption in transit and at rest, access controls, audit logging — see Section 9).
  • Assist Controller in responding to Data Subject requests within timeframes required by law.
  • Notify Controller without undue delay (within 72 hours where feasible) after becoming aware of a Personal Data breach.
  • Make available all information necessary to demonstrate compliance with this DPA and allow audits in accordance with Section 8.

6. Sub-processors

Controller authorizes Processor to engage the Sub-processors listed below for Processing Personal Data:

  • Supabase, Inc. — managed Postgres database, file storage, authentication. (US, EU regions available.)
  • Vercel Inc. — application hosting + edge network.
  • Stripe, Inc. — payment processing (PCI-DSS compliant; XRoof never sees card data).
  • Resend — transactional and marketing email delivery.
  • Anthropic / OpenAI — only for explicitly opted-in AI features; no Personal Data is sent to model providers without an opt-in.

Processor will give Controller at least 30 days' written notice (via email or in-app banner) of any new Sub-processor or replacement, and Controller may object on reasonable grounds before the change takes effect.

7. International Transfers

Where Processing involves transfers of Personal Data from the EU/UK/Switzerland to a country not deemed adequate, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) by reference, and the UK International Data Transfer Addendum where applicable.

8. Audit Rights

On reasonable prior written request and not more than once per year (except following a Personal Data breach), Controller may audit Processor's compliance. Processor may satisfy this obligation by providing a recent SOC 2 Type II report or equivalent third-party attestation when available.

9. Security Measures

  • HTTPS/TLS 1.3 for all data in transit.
  • Database encryption at rest (Supabase-managed Postgres with AES-256).
  • Authentication via Supabase Auth with JWT tokens; admin access restricted by email allowlist.
  • Row-level security policies on every contractor-owned table.
  • Service-role keys stored only in Vercel environment variables, never client-side.
  • Audit log on contract signatures (IP, user agent, timestamp, terms hash).
  • Rate limiting on public endpoints to prevent enumeration / scraping.

10. Return / Deletion

On termination of the Agreement, Processor will, at Controller's choice, delete or return all Personal Data Processed on Controller's behalf within 90 days, and delete existing copies unless legally required to retain them.

11. CCPA — Service Provider Status

With respect to Personal Information governed by the CCPA, Processor acts as a "service provider" as defined in Cal. Civ. Code §1798.140. Processor will not (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than the business purpose of providing the services; or (c) combine the Personal Information received from Controller with personal information received from any other source.

12. Liability & Conflict

The liability provisions in the Agreement apply to any breach of this DPA. In the event of a conflict between this DPA and the Agreement, this DPA controls solely with respect to the Processing of Personal Data.

By using XRoof's services after the date above, you accept this DPA as Controller. EU/UK Controllers requiring counter-signature should email privacy@xroof.io; we'll send a counter-signed copy via DocuSign.